cancel
Showing results for 
Search instead for 
Did you mean: 

Re: McShield service terminated unexpectedly

I am, it's a little less frequent but had a restart yesterday. Again it's only on the server with oplocks enabled.

Re: McShield service terminated unexpectedly

Thanks Steve - are you running with Patch 3 for AV8.7i ?

Also is it a scan timeout that's causing the termination ? - if so is the object being scanned particularly large or does it seem to be some sort  of arbitrary lock out ?

JIm

Highlighted

Re: McShield service terminated unexpectedly

Yes, I'm running 8.7i with patch 3 with the 5400.1158 scan engine.

The crash is being caused by a scan timeout, tried extending the time and that just holds off the inevitable restart.

It can crash on small files and not the ones in it's own folder, it does just seem to be an arbitrary lock out where the file has been opened by the server but the antivirus then tries to scan it but neither wants to back down.

It's not files being opened by the client or even in folders accessible by them it can occur on any file. I've attached a couple of the event log entries below

A thread in process C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe took longer than 150000 ms to complete a request.

The process will be terminated. Thread id : 7376 (0x1cd0)

Thread address : 0x7C82860C

Thread message :

Build VSCORE.14.1.0.524 / 5400.1158

Object being scanned = \Device\HarddiskVolume3\

by C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe

17018(15)(0)

17017(0)(1)

7007(0)(0)

5006(0)(0)

5004(0)(0)

5003(0)(0)

5002(0)(1)

15002(0)(0)

A thread in process C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe took longer than 150000 ms to complete a request.

The process will be terminated. Thread id : 7764 (0x1e54)

Thread address : 0x7C82860C

Thread message :

Build VSCORE.14.1.0.524 / 5400.1158

Object being scanned = \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\VIRUSCAN8700

by C:\Program Files\McAfee\Common Framework\McScript_InUse.exe

17018(31)(0)

17017(0)(1)

7007(0)(0)

5006(0)(0)

5004(0)(0)

5003(0)(0)

5002(0)(1)

15002(0)(0)

A thread in process C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe took longer than 150000 ms to complete a request.

The process will be terminated. Thread id : 6996 (0x1b54)

Thread address : 0x7C82860C

Thread message :

Build VSCORE.14.1.0.524 / 5400.1158

Object being scanned = \Device\HarddiskVolume1\WINDOWS\system32\wbem\Logs\wbemcore.log

by C:\WINDOWS\System32\svchost.exe

7005(0)(0)

7004(0)(0)

5006(0)(0)

5004(0)(0)

5003(0)(0)

5002(0)(1)

15002(0)(0)

5000(0)(0)

A thread in process C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe took longer than 150000 ms to complete a request.

The process will be terminated. Thread id : 4900 (0x1324)

Thread address : 0x7C82860C

Thread message :

Build VSCORE.14.1.0.524 / 5400.1158

Object being scanned = \Device\HarddiskVolume3\OnlineBackups\

by System:Remote

17018(0)(0)

17017(0)(1)

7007(0)(0)

5006(0)(0)

5004(0)(0)

5003(0)(0)

5002(0)(1)

15002(0)(0)

A thread in process C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe took longer than 150000 ms to complete a request.

The process will be terminated. Thread id : 2196 (0x894)

Thread address : 0x7C82860C

Thread message :

Build VSCORE.14.1.0.524 / 5400.1158

Object being scanned = \Device\HarddiskVolume3\virtual machines\wsusepo1

by C:\Program Files\VMware\VMware Server\vmserverdWin32.exe

17018(16)(0)

17017(0)(1)

7007(0)(0)

5006(0)(0)

5004(0)(0)

5003(0)(0)

5002(0)(1)

15002(0)(0)

Re: McShield service terminated unexpectedly

Thanks for the additional info. Steve - your findings pretty much mirror mine - though we haven't tried Patch 3 yet and excluding the reported file just seesm to allow it to fail on a different file the next time.....

I don't suppose you've tried the "opportunistic locking" "possible fix" ?

JIm

Re: McShield service terminated unexpectedly

Well my other servers all have the oplocks turned off but this server is acting as the repository for the offline files for vista and windows 7 machines.

I re-enabled it on this server as turning off the oplocks prevented those machines from sync'ing.

Re: McShield service terminated unexpectedly

Thanks Steve - so did you have this server running for a short period with oplocks disbaled and not see the problem or did any of your other servers have the problem and see it fixed by turning off the oplock ?

My servers that are being affected are hosting AV8.7i P2 for O/S AV and acting as the AV Enterprise Storage Scan servers for some NetApp hosted Filers so I'd think I could "get away" with turning off the Oplock feature if it would resolve the issue....

Jim

Re: McShield service terminated unexpectedly

I use a file based CRM software on our corporate desktops that has to have oplocks turned off by default to prevent corruption, so whenever I install a server I turn off the oplocks.

I only re-enabled it on this server when we started getting desktops with Vista which wouldn't synchronize their offline files so I moved all their home drives to this server and turned them back on at which point the resets started. None of my other servers have the issue.

Re: McShield service terminated unexpectedly

Cheers Steve - sounds like testing with oplocks off is next on my agenda.

Thanks for taking the time to respond - very much appreciated

Jim

Reliable Contributor rmetzger
Reliable Contributor
Report Inappropriate Content
Message 29 of 42

Re: McShield service terminated unexpectedly

SteveTroup wrote:

I use a file based CRM software on our corporate desktops that has to have oplocks turned off by default to prevent corruption, so whenever I install a server I turn off the oplocks.

I only re-enabled it on this server when we started getting desktops with Vista which wouldn't synchronize their offline files so I moved all their home drives to this server and turned them back on at which point the resets started. None of my other servers have the issue.

jmaxwell wrote:


Cheers Steve - sounds like testing  with oplocks off is next on my agenda.



Thanks for taking the time to  respond - very much appreciated



Jim

Steve and Jim,

I had an idea.

We seem to be at an enpass with OpLocks (off) and Offline Synchronization on Windows Vista/7 clients.

I researched a bit and came across two MS articles related to this problem.

It seems that with Windows Vista, Server 2008, Server 2008 r2, and 7, MS has enabled a new version of SMB v2 (SMB2). It is suppose to perform better, etc. However, MS took away some of the Opportunistic Locking controls present in the legacy SMB(1) protocol. (Notably, the ability to turn off OpLocks has been removed.) With SMB2 operating, OpLocks are in play. This is probably the cause of the Off-line file synchronization issue running on a server which has OpLocks Off.

According to this article: http://support.microsoft.com/kb/950836/EN-US talks about performance issues with the new SMB2 protocol built into Windows Vista, Server 2008, Server 2008 r2, and 7. The workaround is to Shut Off SMB2. All communications revert back to the legacy SMB(1) protocol.

What I propose here, is that you turn off SMB2 on the client and on the server shut off OpLocks like the other servers in this environment.


REGEDIT4


;; see http://support.microsoft.com/kb/950836/EN-US

;; Server Side controls (also set on Workstations) (Reboot needed to take effect.)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
    "SMB2"=dword:00000000
;;  "SMB2"=-

(Simply take out the comment characters in front of the last line to reverse out this change.)

  1. I would first attempt to shut off SMB2 on the client side and test the offline synchronization.
  2. Turn off OpLocks on the client and test offline synchronization
  3. Then, I would shut off OpLocks on the server; again test the offline synchronization.

    What do you think?

    Ron Metzger

    Message was edited by: rmetzger on 4/25/10 8:28:57 AM GMT-05:00
    Thanks,
    Ron Metzger

    Was my reply helpful?
    If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

    Re: McShield service terminated unexpectedly

    HI Ron - having reviewed  the artivle you mention it does look to me as if you could be on to a valid workaround for the Vista/2008 Syny issue - not a problem in my environment but could beuseful for others.

    Jim

    More McAfee Tools to Help You
  1. Subscription Service Notification (SNS)
  2. How-to: Endpoint Removal Tool
  3. Support: Endpoint Security
  4. eSupport: Policy Orchestrator
  5. Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community